lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 15 Dec 2012 06:23:01 -0700
From: "Kenneth F. Belva" <ken@...verbackventuresllc.com>
To: bugtraq@...urityfocus.com
Subject: RE: PHP Addressbook v8.2.5 Group Name XSS

I can confirm that the below vulnerability also applies v8.2.5, the
latest version.

PHP Addressbook software URL:
http://sourceforge.net/projects/php-addressbook/?source=directory

I don't mean to clog the list but I was doing research on an earlier
version and didn't realize that a later version was also released.

Ken



 -------- Original Message --------
 Subject: Addressbook v8.1.24.1 Group Name XSS
 From: "Kenneth F. Belva" <research@...verbackventuresllc.com>
 Date: Wed, December 12, 2012 8:15 am
 To: bugtraq@...urityfocus.com
 
 Instructions.
 
 After authentication, click on the Group tab at the top. Click on the
 New Group Button on the group page.
 
 For the group name (the first field) enter the following XSS test
 string:
 
 &lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
 
 
 Then call the XSS string from the URL -- technically one calls the
group
 name -- through the group parameter as such:
 
 http://[server]/index.php?group=%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E
 
 
 I emailed the apparent author but did not receive a reply.
 
 
 Ken
 http://silverbackventuresllc.com

Powered by blists - more mailing lists